ibm-result.jp

Linux 2.6 内核上配置IPSec VPN 的工具

Mon Oct 26 1998 - Fri Oct 30 1998

vs SSH http://isakmp-test.ssh.fi/
	$B$A$c$s$H%/%j%C%/$7$F@_Dj$9$l$PF0$/!#$9$2JXMx!#(B

	SSH -> KAME
		phase 1: DES+MD5
		phase 2: DES+MD5
			$B:G8e$^$G$-$A$s$H$$$1$k!#(B

		phase 1: 3DES+MD5 (final cipher key$B@8@.$G(BSEGV$B$7$F$$$?$,=$@5:Q$_(B)
		phase 2: DES+MD5
			quick mode3$BH/L\(B(SSH -> KAME)$B$,(BKAME$BB&$G$[$I$1$J$$!#(B
			$B$I$&$d$i!"(Bisakmp-test.ssh.fi$B$KF~$C$F$k<BAu$,(B
			$B$A$g$C$H8E$$$i$7$$!#:G?7$N<BAu$H$d$C$F$_$?$i(B
			$B@.8y$7$?!#$@$+$i$^$"$$$$$+!#(B

	KAME -> SSH
		phase 1: DES+MD5
		phase 1: 3DES+MD5 (final cipher key$B@8@.$G(BSEGV$B$7$F$$$?$,=$@5:Q$_(B)

		phase 2$B$O(BPFS$B$7$J$$$H7y$o$l$k!#%/%j%C%/$N$7$+$?$,B-$j$J$$(B?

vs NIST linux IPsec + plutoplus
	NIST -> KAME
		phase 2: ESP DES+hmac-MD5$B$G!"(BKEYMAT$B$N<hF@$N$7$+$?$,0-$+$C$?(B
			-> $B=$@5:Q$_(B
		phase 2: initiator$B$,!V(BPFS$B$7$J$/$F$$$$!W$H8@$C$F$k$N$K(B
			KE payload$B$r$D$1$F$$$?(B -> $B=$@5:Q$_(B
		$B$&$^$/$$$C$?!#(BESP DES+hmac-MD5
	KAME -> NIST
		NIST$B$O(Bproposal$B$rJ#?tEj$2$k$HF0$+$J$$!#=$@5Cf$i$7$$!#(B
		PFS$B4X78$NLdBj$OBP(BRedCreek$B$G=$@5:Q$_!#(B
		$B$&$^$/$$$C$?!#(BESP 3DES+hmac-SHA1

vs Checkpoint
	tunnel mode$B$N$_!"F;>lGK$j$G$-$:(B

vs RedCreek
	KAME$B$O80$N(Brenew$B$,$G$-$J$$!#(B
	RedCreek$B$O(BIPsec+fragment$B$G(Bping$B$7$F$bJV;v$7$J$$!#@hJ}$O(Brouter$BLr$G!"(B
	$B$I$&$b(Btunnel$B$N1|9T$-$N(Bfragment$B$O$A$c$s$H=hM}$9$k$,!"<+J,08$N(B
	fragment$B$O=hM}$7$F$/$l$J$$$h$&$@!#(B
	RedCreek$B$O(Bphase 1$B$N(BDH group$B$H!"(Bphase 2$B$N(BPFS DH group$B$,F1$8$H;W$C$F$k!#(B

	RedCreek -> KAME
		ok
	KAME -> RedCreek
		phase 2$B$G(BKAME -> RC$B$N(Bquick mode1$BH/L\$rEj$2$?$H$3$m$G$X$/$k!#(B
		PFS$B$7$h$&$H8@$C$F$$$k$N$K(BKE payload$B$H$+(BDH group$B$r$D$1$F$$$J$$!#(B
			-> $B$3$l$+$iD>$7(B

		$B?eMK8a8e!"D>$7$?!#$A$c$s$HF0$$$?!#(B

vs Secure Computing
	KAME -> Secure Computing
		$B$5$C$/$j(Bok$B!#(B
		phase1 DES+MD5
		phase2 ESP DES+hmac-md5

	Secure Computing -> KAME
		phase1 DES+SHA1
		phase2 ESP DES+hmac-md5
			ok
		phase1 3DES+SHA1
			$B%@%a!#B?J,(BSecure Computing$B$N(B3DES$B$,%P%0$C$F$k!#(B
			(KAME vs SSH$B$N<+F01?E>$O(Bok)
			$B$"$C$A$N(Bparity bit(2^0)$B$,2x$7$$(B?
			$BMbF|(B($BLZMK(B)$B$d$j$J$*$7$?$i$G$-$?!#$J$s$@(B?

	phase1$B$N(Bproposal$B$NJV$7J}$r%(%s%P%0$7$F$?$N$GD>$7$^$7$?!#(B

vs FreeS/WAN
	KAME -> S/WAN	OK
		phase1 DES+MD5
		phase2 ESP DES+none
		Phase 1 $B$G$OBt;3(Bproposal$B$rEj$2$D$1$F$O%@%a!#(B-> ibm.conf $B$r=$@5!#(B
		pluto $B$N(B life duration $B$N2r<a$,4V0c$C$F$$$?!#(B
	S/WAN -> KAME	N/A
		transport mode $B$G(B initiate $B$G$-$J$$!#(B
		racoon $B$O(B tunnel mode $B$N80$rFM$C9~$a$J$$!#(B

vs Netscreen
	Netscreen -> KAME	OK
		phase1 DES+SHA1
		phase2 ESP DES+none
	KAME -> Netscreen	NG
		phase 2 $B$G(B netscreen $B$K(B mulformed payload $BJV$5$l$k!#(B
			-> netscreen $BD4$YCf!#(B
			   $B$J$s$H$J$/(B multi transform $B$KBP1~$7$F$$$J$$MM;R!#(B

vs Data Fellows (F-Secure$B:n$C$F$$$k$H$3(B)
	KAME -> Data Fellows	OK
		phase1 DES+MD5
		phase2 ESP DES+HMAC-MD5
		proposal number $B$O(B 1,2,3,..$B$H8@$&$N$G(B ibm.conf $B$GF($2$k!#(B
		$B$?$^$K(B ESP Authentication failed $B$,=P$k!#ITL@!#(B
	Data Fellow -> KAME	OK
		phase1 $B$N(B 3DES $B$r;H$C$?$i(B1$B2s$@$1<:GT$7$?!#:F8=$;$:!#(B
			parity bit $BLdBj!)(B
		phase2 $B$N(B HASH(2) $B$K<:GT$9$k!#(B
			IDii,IDir$B$rIU$1$k=hM}$r$$$$2C8:$K$7$F$?!#(B-> $B=$@5(B

vs Routerware
	phase 1$B$N(BDH group$B$H!"(Bphase 2$B$N(BPFS DH group$B$,F1$8$H2>Dj$7$F$$$k$h$&$@!#(B

	KAME -> Routerware
		phase 1(DES+MD5)$B!":G=i$N0E9f2=$5$l$?%Q%1%C%H(B(3$B1}I|L\$N9T$-(B)$B$r(B
		Routerware$B$,$[$I$1$J$$!#8~$3$&$O(Blog$B$,A4A3$G$J$$(B...
		$B$K$$$A$c$s$OHS$K$$$/$H9T$C$F5"$C$F$7$^$C$?!#L@F|:F;n9g!#(B

	$B7k6I$d$l$J$$$^$^5"$C$F$7$^$C$?!#$7$/$7$/!#(B

vs Shiva
	tunnel mode$B$N$_(B

vs Intel (only IKE)
	KAME -> Intel	OK
		phase1 DES MD5
		phase2 AH SHA1

		Intel $B$G(B acceptable $B$J$N$K(B no supported payload $B$,=P$F$?!#(B
		$B$=$N(B Informational Exchange $B$N(B decode $B$K(B racoon $B$,<:GT!#(B
			-> Informational $B$N(B IV $B$O(B phase1 $B$+$iD>$G:n$k!#(B
			-> Intel $B$O5/0x(Bexchange$B$N(B M-ID $B$HF1$8(BM-ID$B$r;H$C$F$$$k!#(B
	Intel -> KAME	OK
		phase1 DES MD5
		phase2 AH SHA1

vs Microsoft WinNT(Win2000 :-P)
	DELETE payload$B$,Mh$?$1$I=hM}$K<:GT!#<BAu$O$9$3$7D>$7$?$,(B
	$B%F%9%H$7$F$$$J$$!#(B

	Microsoft -> KAME 
		phase 1: DES+MD5
		phase 2: ESP(DES+MD5)

		phase 2$B$"$?$^$N(BID payload$B$N=hM}$KLdBj$,$"$C$?$N$GD>$7$?$i(B
		$B$A$c$s$HF0$$$?!#(B

	KAME -> Microsoft
		phase 1: DES+MD5
		phase 2: ESP(DES+MD5)

		phase 2$B$N:G8e$,40N;$7$J$$!#M}M3$O!"(Bcommit bit$B$D$-$N%Q%1%C%H$r(B
		$B<N$F$F$$$k$?$a!#(Bsupport$B$7$F$J$$$D$b$j$J$i!"(Bcommit bit$B$rL5;k$7$F(B
		$B=hM}$9$Y$-!#(B

vs IBM AIX
	KAME -> IBM
		phase 1 3DES+MD5
		phase 2 AH(hmac-SHA1)

		encryption mode attribute$B$r$D$1K:$l$?!#(Bconfig file$B$K(B
		$B=q$$$?$iDL$C$?!#(B

	IBM -> KAME
		phase 1 3DES+MD5
		phase 2 AH(hmac-SHA1)

		$B$5$C$/$j(Bok

vs KAME
	phase 1: 3DES+MD5
	phase 2: AH(hmac-SHA1) + ESP(DES+hmac-MD5)

	NOTE: phase 2$B$K$D$$$F$O8DJL$K%M%4!#(B
	ping -f$B!"(Btelnet chargen$B$H$b$P$C$A$7!#(B
	$B$?$^!<$K(B
	- ah checksum error
	- $B=i4|2=IT==J,$J(BSA$B$,(B{esp,ah}_output$B$KEO$k(B("no replay field")
	$B$,5/$-$k!#$J$<$@!#(B

	2054652 inbound processes succeeded
	0 inbound process's security policy violation
	214 inbound SA is unavailable
	0 inbound processing failed due to EINVAL
	0 failed getting a SPI
	0 inbound packets failed on AH replay check
	0 inbound packets failed on ESP replay check
	1027563 inbound AH packets considered authentic
	3 inbound AH packets failed on authentication
	1027036 inbound ESP packets considered authentic
	0 inbound ESP packets failed on authentication
	AH input histogram:
		hmac SHA1: 1027566
	ESP input histogram:
		DES CBC: 1027089
	1929501 succeeded outbound process
	0 outbound process's security policy violation
	13956 outbound SA is unavailable
	17 outbound processes failed due to EINVAL
	0 packets without route
	AH output histogram:
		hmac SHA1: 964909
	ESP output histogram:
		DES CBC: 964592

manual keying
=============
vs NIST
	RC5-cbc: $B$P$C$A$j(B

vs SSH
	CAST128-cbc: $B$@$a(B
		SSLeay$B$N!V80D9$,C;$$$H$-$N(Bround$B?tLdBj(B?$B!W$N$?$a$+(B?
		mail$B$GLd$$9g$o$;Cf(B(11/1)

		KAME$B$N(Bsys/crypto$B$K%P%0$"$j!#=$@5:Q$_!#(B

vs Ericsson ACC (mobile-ip$B$7$F$k$R$H$H$N4X78$OITL@(B)
	(manual keying$B!"(BAH tunnel)
	Ericcson$B<BAu$O(Bfragment$B$5$l$F$$$k%Q%1%C%H$,$/$k$H(Bcore dump$B$7$F$$$?$,!"(B
	$B=$@5$5$l$?!#(B

vs Freeswan
	==+=======================+==209.154.161.0/24
	  |184			  |149
	freeswan router		kame router
	  |?			  |2
	==+==10.161.184.0/24	==+==10.161.149.0/24
	  |1			  |1
	host			host

	DF bit$B$N@)8f$r3NG'$7$h$&$H;W$C$?$,$$$^$$$A3NG'$G$-$:!#(B
	$B;v<B(B1: freeswan router$B$O!"<+J,$N(Bipsec tunnel$B$N(Bmtu$B$r(B1404$B$@$H;W$C$F$k(B
		-> $B$3$N$;$$$+!"$A$g$C$H(Bfragment$B$7$9$.$N%1$"$j(B
	$B;v<B(B2: freeswan host$B$O!"(Bkame host$B08$N(BTCP mss$B$,(B1364$B$@$H;W$C$F$k(B
	$B;v<B(B3: freeswan host$B$O!"(Bkame router$B$+$iAw$i$l$k(Bicmp need fragment$B$r(B
		$B$I$3$+$KCy$a$F$$$k$,!"$I$3$KCy$a$F$k$N$d$i$5$C$Q$j$o$+$i$J$$(B
	kame$B$N(BDF bit$B=hM}$N5sF0$rD4$Y$k$K$O!"=i2s$K$7$+=P$J$$(Bicmp need
	fragment$B$r$D$+$^$($J$$$H$$$1$J$$$,!"$D$+$^$($i$l$J$+$C$?!#(B
	$B$H$j$"$($:!"(Btelnet chargen$B$7$?$H$-$N(Blog$B$rN>B&$H$C$?$N$rE:IU!#(B

--- on kame host
03:40:30.840690 0:0:86:5:80:da 0:10:4b:a2:8b:aa 0800 74: 10.161.149.1.1167 > 10.161.184.1.19: S 1110010782:1110010782(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 39628 0> (DF) [tos 0x10] (ttl 64, id 259)
03:40:30.843568 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 60: 10.161.184.1.19 > 10.161.149.1.1167: S 3191535599:3191535599(0) ack 1110010783 win 32736 <mss 1364> (ttl 62, id 61263)
								       ~~~~
03:40:30.843925 0:0:86:5:80:da 0:10:4b:a2:8b:aa 0800 60: 10.161.149.1.1167 > 10.161.184.1.19: . ack 1 win 9548 (DF) [tos 0x10] (ttl 64, id 260)
03:40:30.848227 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 128: 10.161.184.1.19 > 10.161.149.1.1167: P 1:75(74) ack 1 win 32736 (DF) [tos 0x10] (ttl 62, id 61264)
03:40:30.857492 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 1418: 10.161.184.1.19 > 10.161.149.1.1167: P 75:1439(1364) ack 1 win 32736 (DF) [tos 0x10] (ttl 62, id 61265)

--- on freeswan host
tcpdump: listening on eth0
12:18:47.780450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 74: 10.161.149.1.1184 > 10.161.184.1.19: S 1540282774:1540282774(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 44145 0> (DF) [tos 0x10]
12:18:47.780450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 58: 10.161.184.1.19 > 10.161.149.1.1184: S 400137676:400137676(0) ack 1540282775 win 32736 <mss 1364>
12:18:47.790450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 60: 10.161.149.1.1184 > 10.161.184.1.19: . ack 1 win 9548 (DF) [tos 0x10]
12:18:47.790450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 128: 10.161.184.1.19 > 10.161.149.1.1184: P 1:75(74) ack 1 win 32736 (DF) [tos 0x10]
12:18:47.790450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 75:1439(1364) ack 1 win 32736 (DF) [tos 0x10]
12:18:47.940450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 60: 10.161.149.1.1184 > 10.161.184.1.19: . ack 1439 win 9548 (DF) [tos 0x10]
12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 1439:2803(1364) ack 1 win 32736 [tos 0x10]
12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 2803:4167(1364) ack 1 win 32736 [tos 0x10]
12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 4167:5531(1364) ack 1 win 32736 [tos 0x10]


	AH tunnel(hmac-MD5) freeswan router <-> kame router$B4V(B
		host-host$B$N(Bping -f$B$b$A$c$s$HF0$/!#(B

	AH tunnel(hmac-SHA1)
		$B$@$a$@$a!#(Bfreeswan$B$N%P%0!"$^$?$O80@_Dj<:GT!#(B

	ESP tunnel(DES+hmac-MD5):
		kame router$B$N%P%0(B(snap-users$B;2>H(B)$B$N$;$$$G:G=iF0$+$J$+$C$?$,!"(B
		$BD>$7$?!#$P$C$A$jF0$$$?!#(B
		ping -f$B$N(Bpacket loss$BN((B25%
			freeswan router$B$,$?$C$W$j(Blog$B$r$H$C$F$k$;$$(B?

	AH transport(hmac-MD5) freeswan router <-> kame router$B4V(B
		$B;n$7$?!#F0$$$?!#(B

	freeswan$B$G$O!"APJ}8~$N80$O$*$J$8$H2>Dj$7$F$$$k(B($B$$$?(B)$B$i$7$$!#(B
	$B:G6aD>$7$?$i$7$$$N$G!"=y!9$K$G$-$k$h$&$K$J$C$F$$$kLOMM!#(B